DNS can be compared to a game of chess in that its rules are simple, yet the possibilities it presents are endless. While the fundamental rules of DNS are straightforward, DNS implementations can be extremely complex. In this study, we explore the complexities and vulnerabilities in DNS response pre-processing by systematically analyzing DNS RFCs and DNS software implementations. We present the discovery of three new types of logic vulnerabilities, leading to the proposal of three novel attacks, collectively named the TuDoor attack. These attacks use malformed DNS response packets to carry out DNS cache poisoning, denial-of-service, and resource-consuming attacks. Through comprehensive experiments, we demonstrate the feasibility and significant real-world impact of TuDoor. In total, 24 mainstream DNS software packages, including BIND, PowerDNS, and Microsoft DNS, are affected by TuDoor. Attackers can instigate cache poisoning and denial-of-service attacks against vulnerable resolvers using a handful of crafted packets within 1 second, or circumvent the query limit to deplete resolution resources (e.g., CPU). In addition, to determine the vulnerable resolver population in the wild, we collect and evaluate 16 popular Wi-Fi routers, 6 prevalent router OSes, 42 public DNS services, and around 1.8M open DNS resolvers. Our measurement results indicate that TuDoor could exploit 7 routers (OSes), 18 public DNS services, and 424,652 (23.1%) open DNS resolvers. Following the best practice of responsible disclosure, we have reported these vulnerabilities to all affected vendors, and 18 of them, including BIND, Chrome, Cloudflare, and Microsoft, have acknowledged our findings and discussed mitigation solutions with us. Furthermore, 33 CVE IDs have been assigned to the discovered vulnerabilities, and we provide an online detection tool as one of the mitigation measures.
Our research highlights the urgent need for standardization of DNS response pre-processing logic to enhance the security of DNS.
This paper proposes the TuDoor attack: by systematically exploring and exploiting logic vulnerabilities in DNS response pre-processing with malformed packets, it achieves DNS cache poisoning (within 1 s), denial-of-service, and resource-consuming attacks.
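As an added illustration (not code from the paper or its detection tool), the following Python sketch shows the kind of strict response pre-processing gate the abstract calls for: a resolver checks the header, matches the question section against the outstanding query, and walks every resource record the header claims before anything reaches the cache. The check set, packet layout and sample packets are my assumptions based on RFC 1035, not the paper's vulnerabilities.

```python
import struct

def read_name(pkt, off):
    """Return (lower-cased name, offset after it); follows backward compression pointers only."""
    labels, end = [], None
    for _ in range(64):                               # hard bound against pointer loops
        if off >= len(pkt):
            raise ValueError("name runs past end of packet")
        n = pkt[off]
        if n == 0:
            return b".".join(labels).lower(), (off + 1 if end is None else end)
        if n & 0xC0 == 0xC0:                          # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("compression pointer does not point backwards")
            end, off = (off + 2 if end is None else end), ptr
        elif n > 63 or off + 1 + n > len(pkt):
            raise ValueError("bad label length")
        else:
            labels.append(pkt[off + 1:off + 1 + n])
            off += 1 + n
    raise ValueError("too many labels or pointer hops")

def validate_response(pkt, qid, qname, qtype=1):
    """Strict pre-processing gate: reject anything that does not match the outstanding query exactly."""
    try:
        rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
        if rid != qid:
            return "id mismatch"
        if not flags & 0x8000 or qd != 1:
            return "not a response with exactly one question"
        name, off = read_name(pkt, 12)
        qt, qc = struct.unpack("!HH", pkt[off:off + 4])
        if (name, qt, qc) != (qname.lower(), qtype, 1):
            return "question section does not match the query"
        off += 4
        for _ in range(an + ns + ar):                 # walk every RR the header claims
            _, off = read_name(pkt, off)
            rdlen = struct.unpack("!HHIH", pkt[off:off + 10])[3]
            off += 10 + rdlen
        return "ok" if off == len(pkt) else "RR counts or lengths disagree with packet length"
    except (ValueError, struct.error):
        return "malformed"
# Constructed sample data (not from the paper): a well-formed A answer for example.com.
def build(qid, flags, qname, rrs):
    q = b"".join(bytes([len(l)]) + l for l in qname.split(b".")) + b"\x00\x00\x01\x00\x01"
    return struct.pack("!HHHHHH", qid, flags, 1, len(rrs), 0, 0) + q + b"".join(rrs)

A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
GOOD = build(0x1234, 0x8180, b"example.com", [A_RR])
```

A resolver that applies such a gate consistently, rather than leaving each check to ad hoc code paths, is what the paper's call for standardized pre-processing logic amounts to in practice.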
CVE (33)
Microsoft: CVE-2023-32020
Knot: CVE-2023-26249
PowerDNS: CVE-2023-26437
Simple DNS Plus: CVE-2023-28453
Technitium: CVE-2023-28451
CoreDNS: CVE-2023-28452
Python DNS Lib: CVE-2023-29483
Golang DNS Lib: CVE-2023-29481
Node.js DNS Lib: CVE-2023-30578
c-ares: CVE-2023-32067 (CVE-2023-30579)
dnsjava: CVE-2023-29482
pdnsd: CVE-2023-30580
AdGuard Service: CVE-2023-41173
Technitium: CVE-2023-28457
CoreDNS: CVE-2023-30464
Acrylic DNS Proxy: CVE-2023-32771
Acrylic DNS Proxy: CVE-2023-32775
AdGuard Software: CVE-2023-32770
AdGuard Software: CVE-2023-32773
DNS Safety: CVE-2023-32772
DNS Safety: CVE-2023-32776
Dual DHCP DNS: CVE-2023-30632
NxFilter: CVE-2023-32769
YogaDNS: CVE-2023-32774
YogaDNS: CVE-2023-32777
Tenda AX2PRO: CVE-2023-31053
TOTOLINK: CVE-2023-31049
Nighthawk RAX70: CVE-2023-31055
SKYWORTH-wr9651x: CVE-2023-31052
MERCURY D191G: CVE-2023-31051
XIAOMI AX3000: CVE-2023-31050
ikuai8: CVE-2023-31054
Presentations